What is 23 NYCRR 500?
The New York Department of Financial Services (NYDFS) enforces a set of cybersecurity regulations for the banking, insurance, and financial sectors operating within the state of New York. The regulations were designed to encourage the development of durable processes and procedures needed to protect customer data and the underlying information technology systems. 23 NYCRR 500 went into effect on March 1, 2017 and specifically applies to "covered entities," defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." For organizations seeking to verify whether they are supervised under 23 NYCRR 500, NYDFS has provided a search form and the key dates associated with each milestone. Numerous cybersecurity regulations are intended, and ultimately designed, to achieve the same result – effective security throughout the data life cycle.
Section 500.03 of 23 NYCRR 500 calls for the covered entity (typically the CISO) to create and maintain a Cybersecurity Policy with associated procedures "for the protection of its Information Systems and Nonpublic Information stored on those Information Systems." Specifically, Section 500.03(b) calls for "data governance and classification" to be included among the policy areas approved by a Senior Officer or the Covered Entity's board of directors (or an appropriate committee thereof) or equivalent governing body.
The key tasks organizations must complete to comply with 23 NYCRR 500 include:
- Appoint a CISO (if one isn't already in place)
- Perform risk assessments (which must be kept up to date on an ongoing basis)
- Document all organizational policies and procedures
- Perform penetration testing and vulnerability assessments
- Train all staff on a regular basis
- Monitor your assets and create audit trails
- Limit user privilege
- Securely destroy unnecessary data
Key Components Necessary To Achieve And Maintain 23 NYCRR 500 Compliance
How Fortra’s Digital Guardian can help you comply with 23 NYCRR 500
Fortra's Digital Guardian helps organizations comply with 23 NYCRR 500 by providing comprehensive data protection and security measures that address key requirements of the regulation. Here's how Digital Guardian supports compliance:
Monitoring and Logging
Digital Guardian continuously monitors data access and usage, generating detailed logs that track all interactions with sensitive information. These logs are essential for detecting potential security incidents, auditing access, and demonstrating compliance with the regulation.
Incident Response
Digital Guardian enhances incident detection and response capabilities by providing real-time alerts and automated responses to potential threats. This enables organizations to quickly identify, contain, and mitigate security incidents, and comply with the regulation’s requirements for incident response and breach notification.
Data Loss Prevention (DLP)
Digital Guardian's DLP solution prevents unauthorized data transfers, helping to secure Nonpublic Information (NPI) against leakage or unauthorized sharing. The platform can automatically block or flag suspicious activities, ensuring that sensitive data is not exposed.
Audit and Reporting
Digital Guardian offers comprehensive reporting tools that document compliance efforts, track access, and provide audit trails. These reports are crucial for internal audits, regulatory reviews, and demonstrating adherence to the regulation’s requirements.
Third-Party Vendor Management
Digital Guardian helps manage and monitor third-party access to NPI, ensuring that vendors and partners comply with the organization’s cybersecurity policies and 23 NYCRR 500 standards.